CVE-2021-34580 (GCVE-0-2021-34580)
Vulnerability from cvelistv5
Published
2021-10-27 10:25
Modified
2024-09-17 01:41
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-204 - Response Discrepancy Information Exposure
Summary
In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
References
Impacted products
Vendor Product Version
MB connect line mymbCONNECT24 Version: 2.9.0   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:19:46.999Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en/advisories/VDE-2021-037/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mymbCONNECT24",
          "vendor": "MB connect line",
          "versions": [
            {
              "lessThanOrEqual": "2.9.0",
              "status": "affected",
              "version": "2.9.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "mbCONNECT24",
          "vendor": "MB connect line",
          "versions": [
            {
              "lessThanOrEqual": "2.9.0",
              "status": "affected",
              "version": "2.9.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LEWA Attendorn GmbH reported the vulnerability to MB connect line. CERT@VDE coordinated."
        }
      ],
      "datePublic": "2021-10-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In mymbCONNECT24, mbCONNECT24 \u003c= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-204",
              "description": "CWE-204 Response Discrepancy Information Exposure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-27T10:25:09",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert.vde.com/en/advisories/VDE-2021-037/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to version 2.10.1"
        }
      ],
      "source": {
        "advisory": "VDE-2021-030",
        "discovery": "EXTERNAL"
      },
      "title": "Remote user enumeration in mymbCONNECT24, mbCONNECT24 \u003c= 2.9.0",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "info@cert.vde.com",
          "DATE_PUBLIC": "2021-10-27T10:00:00.000Z",
          "ID": "CVE-2021-34580",
          "STATE": "PUBLIC",
          "TITLE": "Remote user enumeration in mymbCONNECT24, mbCONNECT24 \u003c= 2.9.0"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mymbCONNECT24",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2.9.0",
                            "version_value": "2.9.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "mbCONNECT24",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2.9.0",
                            "version_value": "2.9.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "MB connect line"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "LEWA Attendorn GmbH reported the vulnerability to MB connect line. CERT@VDE coordinated."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In mymbCONNECT24, mbCONNECT24 \u003c= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-204 Response Discrepancy Information Exposure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cert.vde.com/en/advisories/VDE-2021-037/",
              "refsource": "CONFIRM",
              "url": "https://cert.vde.com/en/advisories/VDE-2021-037/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to version 2.10.1"
          }
        ],
        "source": {
          "advisory": "VDE-2021-030",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2021-34580",
    "datePublished": "2021-10-27T10:25:09.307226Z",
    "dateReserved": "2021-06-10T00:00:00",
    "dateUpdated": "2024-09-17T01:41:24.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-34580\",\"sourceIdentifier\":\"info@cert.vde.com\",\"published\":\"2021-10-27T11:15:07.553\",\"lastModified\":\"2024-11-21T06:10:44.700\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In mymbCONNECT24, mbCONNECT24 \u003c= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.\"},{\"lang\":\"es\",\"value\":\"En mymbCONNECT24, mbCONNECT24 versiones anteriores a 2.9.0 incluy\u00e9ndola, un usuario no autenticado puede enumerar los usuarios v\u00e1lidos del backend al comprobar qu\u00e9 tipo de respuesta env\u00eda el servidor para los intentos de inicio de sesi\u00f3n no v\u00e1lidos dise\u00f1ados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-204\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mbconnectline:mbconnect24:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.9.0\",\"matchCriteriaId\":\"C6FA138E-7298-488C-91CB-27A3AE49AA3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mbconnectline:mymbconnect24:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.9.0\",\"matchCriteriaId\":\"6149BB15-4765-4412-A071-C7880A52E3B3\"}]}]}],\"references\":[{\"url\":\"https://cert.vde.com/en/advisories/VDE-2021-037/\",\"source\":\"info@cert.vde.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert.vde.com/en/advisories/VDE-2021-037/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.